
Unleashing the Power of BatCloak Engine: Cybercriminals Achieve Complete Malware Stealth


Since September 2022, cybercriminals have been utilizing BatCloak, a powerful and fully undetectable (FUD) malware obfuscation engine, to deploy a range of malware strains. Despite persistent efforts by antivirus software, BatCloak has managed to evade detection, enabling threat actors to seamlessly load various malware families and exploits through heavily obfuscated batch files.

According to researchers at Trend Micro, out of the 784 artifacts discovered, an alarming 79.6% remain undetected by all security solutions, underscoring BatCloak's effectiveness in bypassing traditional detection mechanisms.

The Mechanics in the BatCloak Engine

Jlaive, an off-the-shelf batch file builder, relies on the BatCloak engine for its evasion capabilities. It can bypass the Antimalware Scan Interface (AMSI), encrypt and compress payloads, and serves as an "EXE to BAT crypter."

Although the open-source tool went missing from GitHub and GitLab shortly after its release by ch2sh in September 2022, other actors have cloned and modified it, and even ported it to Rust. The final payload lies concealed within three loader layers: a C# loader, a PowerShell loader, and a batch loader. The batch loader, which runs first, decodes and unpacks each subsequent stage to activate the hidden malware. Researchers Peter Girnus and Aliakbar Zahravi highlighted the presence of an obfuscated PowerShell loader and an encrypted C# stub binary within the batch loader. Ultimately, Jlaive uses BatCloak as a file obfuscation engine to protect the batch loader, which is the only stage stored on disk.
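The batch loader is the one stage that lands on disk, so it is the natural place for static inspection. The script below is an added defender-side example (it is not Trend Micro's code and not part of the article) that scores a batch file for the kind of traits the article describes: command names split with caret escapes, substring expansion of environment variables, and a base64-encoded PowerShell stage. Both batch samples are constructed for the example, the encoded stage is a harmless `Write-Host`, and the indicator thresholds are assumptions rather than values tuned on real BatCloak artifacts.

```python
import base64
import re

# Constructed samples (not real artifacts). CLEAN_BAT is an ordinary admin
# script; OBFUSCATED_BAT imitates traits the article attributes to
# BatCloak-style batch loaders.
CLEAN_BAT = """@echo off
set LOGDIR=C:\\logs
if not exist %LOGDIR% mkdir %LOGDIR%
echo backup started >> %LOGDIR%\\backup.log
"""

# The encoded stage is a harmless Write-Host, built here so the blob is real
# UTF-16LE base64 (the encoding PowerShell's -EncodedCommand expects).
_STAGE = base64.b64encode("Write-Host hi".encode("utf-16le")).decode("ascii")
OBFUSCATED_BAT = (
    "@echo off\n"
    'set "a=pow"\n'
    'set "b=%a:~0,3%ershell"\n'
    "p^o^w^e^r^s^h^e^l^l -nop -w hidden -e " + _STAGE + "\n"
)

# %VAR:~start,len% substring expansion, used to assemble strings piecewise.
SUBSTRING_EXPANSION = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*:~-?\d+(?:,-?\d+)?%")
# powershell ... -e/-ec/-enc/-encodedcommand <base64>
ENCODED_COMMAND = re.compile(
    r"(?i)powershell[^\n]*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)
# Any long run of base64 alphabet characters (embedded payload or stage).
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")

# Assumed threshold: five or more carets on one line is treated as splitting.
CARET_THRESHOLD = 5


def decode_encoded_command(blob):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text).
    Returns None if the blob is not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")


def analyze_batch(text):
    """Score a batch script for obfuscation indicators.

    Returns a dict with the indicators hit, the decoded PowerShell stage
    (if one was found) and a score equal to the number of indicators."""
    indicators = []
    # cmd.exe strips '^' escapes before executing, so normalise the same way
    # to see the command the interpreter would actually run.
    normalised = text.replace("^", "")

    if any(ln.count("^") >= CARET_THRESHOLD for ln in text.splitlines()):
        indicators.append("caret_splitting")
    if SUBSTRING_EXPANSION.search(text):
        indicators.append("substring_expansion")

    decoded = None
    m = ENCODED_COMMAND.search(normalised)
    if m:
        indicators.append("encoded_powershell")
        decoded = decode_encoded_command(m.group(1))

    if LONG_BASE64.search(text):
        indicators.append("long_base64_blob")
    if HIDDEN_WINDOW.search(normalised):
        indicators.append("hidden_window")

    return {"indicators": indicators, "decoded_stage": decoded, "score": len(indicators)}


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_BAT), ("obfuscated", OBFUSCATED_BAT)):
        print(name, analyze_batch(sample))
```

The caret normalisation matters more than the individual regexes: a signature that looks for the literal string `powershell` misses the caret-split form, while matching on what `cmd.exe` would execute does not. In practice the score would be one input to a triage pipeline alongside the decoded stage, which is where the next layer (the PowerShell loader the researchers describe) becomes visible.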

ScrubCrypt: The Next Evolution of BatCloak

BatCloak, a highly dynamic malware obfuscation engine, has undergone significant advancements and adaptations since its initial emergence. One of its recent iterations, known as ScrubCrypt, gained attention when Fortinet FortiGuard Labs connected it to a cryptojacking campaign orchestrated by the notorious 8220 Gang. The developer's decision to transition from an open-source framework to a closed-source model was motivated by the successes of previous ventures like Jlaive and the objective of monetizing the project and safeguarding it against unauthorized replication.

Researchers assert that ScrubCrypt seamlessly integrates with various prominent malware families, including Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT. This evolution of BatCloak exemplifies its adaptability and versatility as a powerful FUD batch obfuscator, underscoring its prevalence in the ever-evolving threat landscape.
